[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
This particular error message caused Uncle Google to speak in riddles; many of the forum posts that I found led to non-answers. After fumbling around a bit, I noticed that another Apache log, "nss_error_log", was being updated and displayed the following error messages:
[error] Certificate not verified: 'Server-Cert'
[error] SSL Library Error: -8181 Certificate has expired
[error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
Now we've found the root cause of our issue: it is in a module called nss. I had never noticed it before, so another visit to Uncle Google turned up some interesting reading and several solutions. In short, mod_nss is an alternative to mod_ssl; it does a few things that mod_ssl doesn't do, and can run alongside mod_ssl.
Since I'm not an expert on mod_nss, I'll leave the gory details of how to set it up and what it does to these articles [What is mod_nss, On Setting up Mod_NSS, More detail], but suffice it to say that chances are, if you didn't know you were using it, you may not need it. If you are inheriting a system, you probably want to dig deeper into why it is there. Below I'm listing four possible solutions.
- Simply do as the error message above says: add "NSSEnforceValidCerts off" to your nss.conf file, which is usually located in /etc/httpd/conf.d. The downside to this is that your nss_error_log will continue to get messages like "SSL Library Error: -8181 Certificate has expired".
- Remove nss.conf from /etc/httpd/conf.d. This will, of course, cause mod_nss not to be loaded.
- Uninstall and re-install your nss rpm modules. On re-installation a new certificate will be generated and your problem will go away for a few more years.
- Properly set up your nss db or trust store using the certutil command (you can Google for more details).
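As an added example (not from the original post), this script reads the expiry date from certutil output and classifies the certificate as ok, expiring or expired, so the -8181 failure can be caught before Apache refuses to start. It assumes the NSS database is in /etc/httpd/alias, GNU date, and that certutil prints the date in UTC as "Not After : <date>"; the function names and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): report whether the mod_nss
# server certificate is expired or close to expiring.
# Assumptions: NSS database in /etc/httpd/alias, GNU date, and certutil
# printing the expiry in UTC as "Not After : <date>".
NSS_DB="${NSS_DB:-/etc/httpd/alias}"   # assumed database directory
NICKNAME="${NICKNAME:-Server-Cert}"    # nickname from nss_error_log

# Constructed sample of `certutil -L -d <db> -n <nickname>` output.
SAMPLE='Certificate:
    Data:
        Validity:
            Not Before: Tue Mar 01 12:00:00 2011
            Not After : Sun Mar 01 12:00:00 2015
        Subject: "CN=localhost.localdomain"'

# Read certutil output on stdin, print the "Not After" date string.
not_after() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# cert_status <expiry-date> [now-epoch] [warn-days]
# Prints ok | expiring | expired | unknown; exit code 0 | 1 | 2 | 3.
cert_status() {
    [ -n "$1" ] || { echo unknown; return 3; }   # nickname not in database
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || { echo unknown; return 3; }
    now=${2:-$(date -u +%s)}
    left=$(( expiry - now ))
    if [ "$left" -le 0 ]; then
        echo expired; return 2
    elif [ "$left" -lt $(( ${3:-30} * 86400 )) ]; then
        echo expiring; return 1
    fi
    echo ok
}

# Against the live database when certutil is available, else the sample.
if command -v certutil >/dev/null 2>&1 && [ -d "$NSS_DB" ]; then
    when=$(certutil -L -d "$NSS_DB" -n "$NICKNAME" 2>/dev/null | not_after)
else
    when=$(printf '%s\n' "$SAMPLE" | not_after)
fi
echo "$NICKNAME: $(cert_status "$when") (Not After: ${when:-n/a})"
```

Run from cron, the non-zero exit codes of cert_status can feed an alert well before the certificate lapses.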